
Efterlev · 15 May 2026 · 6 min read · Part 2 of 5

FedRAMP just got a new authorization track. Here's what it looks like.

FedRAMP got a new authorization track in 2025. It is already producing real authorizations. Most online guides still describe the old one.

Here is what FedRAMP 20x actually is, what is different about it, and what it means if you are running on AWS today.

The short version

FedRAMP 20x is a new authorization track the FedRAMP Program Management Office began rolling out in 2025. Phase 1, for the Low impact level, is complete. Phase 2, for Class C (Moderate), the level most B2B SaaS targets, ran invite-only from November 2025 through March 31, 2026, with a small number of cloud service providers across two cohorts. Aeroplicity reached FedRAMP Moderate through 20x on April 13, 2026, and authorizations have continued to trickle out from the cohort.

Public rollout (Phase 3) is targeted for the second half of FY 2026, roughly July through December on the calendar. That is when most readers of this article become eligible.

20x is real. It is not yet open to most companies. That changes later this year.

What is actually different

The headline change is the artifact you produce.

In the legacy track, you produce a System Security Plan: a long Word document that describes how your system implements each of the 300+ controls from NIST Special Publication 800-53. Reviewers read it. 3PAOs verify it. Federal employees turn pages.

In 20x, you produce structured machine-readable data instead. The format is called FRMR (FedRAMP Machine Readable). It is JSON. Reviewers ingest it as data. The FedRAMP PMO can run automated checks against it. Your team can generate it from your code rather than hand-write it about your code.

The other shift is what gets evidenced. Legacy FedRAMP organizes around 800-53 controls. 20x organizes around something called Key Security Indicators, or KSIs. There are 64 KSIs grouped into 11 themes. Each KSI references the underlying 800-53 controls, so the catalog you may have heard about is still there underneath. The user-facing surface is shorter, more outcome-focused, and easier for an engineer to recognize.

A KSI looks like this:

Example KSI

KSI-SVC-SNT — "Securing Network Traffic."

The statement says, in plain English, that the system encrypts data in transit using approved cryptographic methods. The underlying 800-53 control is SC-8. The evidence is your TLS configuration on your load balancers, listeners, and service-to-service traffic.

That is something an engineer can point at. The legacy version was a paragraph in an SSP that referenced a control number that referenced a NIST publication.
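As an added illustration of the evidence-from-code idea (not code from the article, from Efterlev, or from FedRAMP), the Python below checks a constructed inventory of load balancer listeners against the KSI-SVC-SNT statement and emits one structured record tagged with the KSI and SC-8. The record layout, the listener fields and the approved-policy names are assumptions for the example; the real FRMR schema is the catalog at github.com/FedRAMP/docs.

```python
# Added example: turn a TLS configuration check into a machine-readable
# evidence record for KSI-SVC-SNT / SC-8. The record layout below is a
# constructed illustration, NOT the FRMR schema.
import json

# Assumption: the organisation's approved TLS policies (placeholder names).
APPROVED_TLS_POLICIES = {"TLS13-ONLY", "TLS12-OR-HIGHER"}

# Constructed sample: listeners as they might be exported from a load
# balancer inventory. Not real infrastructure.
SAMPLE_LISTENERS = [
    {"lb": "api-alb", "port": 443, "protocol": "HTTPS",
     "tls_policy": "TLS13-ONLY", "redirect_to_https": False},
    {"lb": "api-alb", "port": 80, "protocol": "HTTP",
     "tls_policy": None, "redirect_to_https": True},
    {"lb": "internal-nlb", "port": 8443, "protocol": "TLS",
     "tls_policy": "LEGACY-TLS10", "redirect_to_https": False},
]

def assess_listener(listener):
    """Return (passed, reason) for one listener against the KSI statement."""
    if listener["protocol"] not in ("HTTPS", "TLS"):
        # A plaintext port whose only job is to redirect to HTTPS is a
        # common, acceptable pattern; anything else serving traffic fails.
        if listener.get("redirect_to_https"):
            return True, "plaintext port only redirects to HTTPS"
        return False, "plaintext listener"
    if listener["tls_policy"] not in APPROVED_TLS_POLICIES:
        return False, f"unapproved TLS policy {listener['tls_policy']}"
    return True, "encrypted with approved policy"

def build_evidence(listeners):
    """Aggregate per-listener results into one structured evidence record."""
    findings = []
    for l in listeners:
        passed, reason = assess_listener(l)
        findings.append({"resource": f"{l['lb']}:{l['port']}",
                         "passed": passed, "reason": reason})
    return {
        "ksi": "KSI-SVC-SNT",
        "controls": ["SC-8"],
        "status": "satisfied" if all(f["passed"] for f in findings) else "not-satisfied",
        "evidence": findings,
    }

if __name__ == "__main__":
    # Running this prints the record; the internal NLB's legacy policy
    # makes the overall status "not-satisfied".
    print(json.dumps(build_evidence(SAMPLE_LISTENERS), indent=2))
```

Pointing this at a real inventory export, and committing the output next to the Terraform that produced the listeners, is the shape of the workflow the article describes.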

What has not changed

Most of FedRAMP, actually.

You still need a 3PAO. They still test your controls. You still submit a package to a sponsoring agency or the FedRAMP PMO. You still receive an Authorization to Operate or you do not. You still maintain Continuous Monitoring for as long as you sell to federal customers. The actual security work does not get smaller. The format of the artifact gets smaller, more structured, and easier to automate.

Compliance used to be a Word document. It is becoming a JSON file.

That changes who has to do the work. Engineering teams have always been involved in FedRAMP, mostly as evidence providers handing material to a compliance lead who turned it into prose. The 20x model puts engineering closer to the artifact itself. If your infrastructure lives in your repo and your repo can produce the JSON the federal government wants, you have moved a meaningful part of the work into your existing engineering workflow.

What Phase 3 will look like

Phase 3 is what opens 20x to the wider market. Targeted for the second half of FY 2026, it is the moment when any qualifying CSP can pursue Moderate via 20x without an invitation.

The exact mechanics are not fully published yet. A new set of rules called the Consolidated Rules for 2026 (CR26) is expected at the end of June and will stay effective through December 31, 2028. CR26 will shape what Phase 3 actually requires. If your authorization will start in late 2026 or 2027, plan against 20x.

What this means if you are on AWS

The platform under your application has already done a lot of this work. AWS commercial regions are FedRAMP Moderate authorized today. AWS GovCloud is FedRAMP High authorized. Both offer inheritance arrangements you can use to evidence underlying infrastructure controls without re-doing them. 20x does not change the platform's authorization status. What it changes is how you describe and submit your application's authorization on top of that platform.

What to do this year

Three things, if you are planning ahead.

Read the FRMR catalog yourself. It is a single JSON file at github.com/FedRAMP/docs. Open it, look at the KSI structure, get the shape into your head. Thirty minutes with the actual file is worth many hours of articles.

Get your Terraform or CloudFormation under version control. 20x rewards teams whose infrastructure is codified, because their evidence is queryable. Half-codified, half-ClickOps infrastructure produces thinner submissions and a harder assessment.

Watch CR26. End of June 2026 is when the rules that govern Phase 3 land. If you are about to sign a consulting engagement that runs through that date, make sure your contract has a re-scoping clause.

The series

Part 1 — So your CEO just said we need FedRAMP. Start here.

Part 2 — You are here.

Part 3 — FedRAMP says your MFA probably doesn't count. Here's why.

Part 4 — The cost and time math, with numbers.

Part 5 — What is coming through 2028 so you can plan around it.
